CVE-2018-20676
Cross-Site Scripting (XSS) vulnerability in bootstrap (npm)
What is CVE-2018-20676 About?
This Cross-Site Scripting (XSS) vulnerability affects Bootstrap before version 3.4.0: the value of a tooltip's data-viewport attribute is handed to jQuery unchecked, and jQuery parses an HTML-looking value into elements instead of treating it as a CSS selector. An attacker who controls that value can run arbitrary script in the site's origin, which can lead to session hijacking or unauthorized actions performed on the victim's behalf. Exploitation requires a victim to load a page that renders the crafted attribute.
Affected Software
- bootstrap
- <3.4.0
- bootstrap-sass
- <3.4.0
- twbs/bootstrap
- <3.4.0
- org.webjars:bootstrap
- <3.4.0
Technical Details
Before 3.4.0, the Tooltip plugin passed its viewport option (populated from the element's data-viewport attribute when the tooltip is initialized) straight to jQuery's $() without validation. jQuery treats a string that starts with "<" and ends with ">" as HTML rather than as a CSS selector: it parses the string and creates the elements it describes. An attacker who controls the attribute value can therefore supply markup such as an <img> tag with an inline onerror handler; it is never used as a selector, the element is built, and the browser executes the handler in the page's origin. The payload fires as soon as Bootstrap initializes the tooltip for that element, which is typically a page-load `.tooltip()` call or the first hover/focus when tooltips are initialized lazily through a delegated selector.
What is the Impact of CVE-2018-20676?
Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser, in the origin of the vulnerable site, leading to session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2018-20676?
Exploitation is moderately complex: the attacker must get a crafted value into the data-viewport attribute of a Bootstrap tooltip (or into the equivalent viewport option passed from script). That usually depends on a second weakness, such as user-supplied content rendered into the attribute without validation, or a reflected parameter echoed into it, after which the victim is tricked into loading the page. The attack is remote and normally needs no authentication to deliver. The payload runs when Bootstrap initializes the tooltip for the element, so beyond visiting the page (or hovering, where tooltips are initialized lazily) no further user action is needed. Note that HTML-encoding "<" as "&lt;" inside the attribute does not help: the browser decodes character references in attribute values before jQuery reads them, so the only safe course is to keep untrusted values out of these attributes entirely or upgrade. Applications that render user-supplied content into Bootstrap's selector-bearing data attributes are at the highest risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-20676?
About the Fix from Resolved Security
The patch ensures that selector options such as container, parent, and viewport are resolved only within the document context, using $(document).find(...) instead of a direct $() call. Because .find() accepts selectors only, an attacker can no longer inject HTML where a selector is expected and have jQuery parse it into elements, which is how the script execution described in CVE-2018-20676 occurred. The new error handling in the tests confirms that such HTML-looking expressions now raise a selector syntax error instead of being rendered, mitigating the risk.
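The selector-versus-HTML ambiguity described under Technical Details and the $(document).find(...) change described in the fix, as an added Node.js example that is not Bootstrap's or jQuery's own code. It does not load either library; it reproduces jQuery's documented rule for $(string) (a string starting with "<" and ending with ">" is parsed as HTML, anything else is a selector) so it runs offline, models the pre-3.4.0 and 3.4.0 resolution paths side by side, and adds a small audit over server-rendered HTML for pages that cannot upgrade yet. All function names, the attribute list and the sample page are this example's own constructions.

```javascript
// Added example (not Bootstrap's or jQuery's code). Models jQuery's documented
// $() dispatch rule so it runs offline in Node: a string that starts with "<"
// and ends with ">" is parsed as HTML and turned into new elements; anything
// else is treated as a CSS selector. All names below are this example's own.

function looksLikeHtml(value) {
  if (typeof value !== 'string') return false;
  const s = value.trim();
  return s.length >= 3 && s.startsWith('<') && s.endsWith('>');
}

// Stand-in for the browser evaluating the markup jQuery created: collect the
// inline on* handlers (e.g. <img onerror=...>) that would run in the page origin.
function inlineHandlers(markup) {
  const handlers = [];
  const re = /\bon([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(markup)) !== null) {
    handlers.push({ event: m[1].toLowerCase(), code: m[2] ?? m[3] ?? m[4] });
  }
  return handlers;
}

// Bootstrap < 3.4.0 path: the viewport option went straight to $().
function resolveViewportVulnerable(viewportOption) {
  if (looksLikeHtml(viewportOption)) {
    // $('<img src=x onerror=...>') builds the element and its handler fires.
    return { kind: 'created-html', executed: inlineHandlers(viewportOption) };
  }
  return { kind: 'selector', selector: viewportOption, executed: [] };
}

// Bootstrap 3.4.0 path: $(document).find(option). find() accepts selectors
// only, so jQuery's selector engine rejects HTML-looking input with a syntax error.
function resolveViewportFixed(viewportOption) {
  if (looksLikeHtml(viewportOption)) {
    throw new SyntaxError('Syntax error, unrecognized expression: ' + viewportOption);
  }
  return { kind: 'selector', selector: viewportOption, executed: [] };
}

// Browsers decode character references in attribute values before jQuery reads
// them, so "&lt;img ...&gt;" reaches $() as "<img ...>". Entity-encoding "<"
// in these attributes is therefore not a mitigation; the audit decodes first.
function decodeEntities(text) {
  return text.replace(/&(lt|gt|quot|amp|#x?[0-9a-f]+);/gi, (_, ref) => {
    const r = ref.toLowerCase();
    if (r === 'lt') return '<';
    if (r === 'gt') return '>';
    if (r === 'quot') return '"';
    if (r === 'amp') return '&';
    return String.fromCodePoint(r[1] === 'x' ? parseInt(r.slice(2), 16) : parseInt(r.slice(1), 10));
  });
}

// Audit helper for pages still on < 3.4.0: scan server-rendered HTML for the
// data-* attributes behind the container, parent and viewport options named in
// the fix, and flag any value jQuery would parse as HTML instead of a selector.
const SELECTOR_ATTRIBUTES = ['data-viewport', 'data-container', 'data-parent'];

function auditMarkup(html) {
  const findings = [];
  for (const attr of SELECTOR_ATTRIBUTES) {
    const re = new RegExp('\\b' + attr + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'gi');
    let m;
    while ((m = re.exec(html)) !== null) {
      const value = decodeEntities(m[1] ?? m[2]);
      if (looksLikeHtml(value)) findings.push({ attribute: attr, value });
    }
  }
  return findings;
}

// Constructed sample page (not from any real site): one benign tooltip, one
// with a raw payload in data-viewport, one with an entity-encoded payload in
// data-container.
const SAMPLE_PAGE = [
  '<span data-toggle="tooltip" title="ok" data-viewport="body">safe</span>',
  '<span data-toggle="tooltip" title="x" data-viewport="<img src=x onerror=alert(document.cookie)>">user bio</span>',
  '<span data-toggle="tooltip" title="y" data-container="&lt;svg onload=alert(1)&gt;">encoded</span>',
].join('\n');

console.log(auditMarkup(SAMPLE_PAGE));
```

Run it with `node`; each finding names the attribute and the decoded value that jQuery would have parsed as HTML. A finding means untrusted data reaches a selector-bearing attribute, and the durable fix is the 3.4.0 upgrade; until then, treat those attribute values as code and reject anything that is not a known selector before it is rendered.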
Available Upgrade Options
- org.webjars:bootstrap
- <3.4.0 → Upgrade to 3.4.0
- bootstrap-sass
- <3.4.0 → Upgrade to 3.4.0
- bootstrap
- <3.4.0 → Upgrade to 3.4.0
- twbs/bootstrap
- <3.4.0 → Upgrade to 3.4.0
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:3023
- https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0
- https://github.com/twbs/bootstrap
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://github.com/twbs/bootstrap/issues/27044
- https://nvd.nist.gov/vuln/detail/CVE-2018-20676
- https://access.redhat.com/errata/RHBA-2019:1570
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2018-20676.yml
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/errata/RHBA-2019:1076
What are Similar Vulnerabilities to CVE-2018-20676?
Similar Vulnerabilities: CVE-2015-6804, CVE-2016-10735, CVE-2018-1000600, CVE-2019-14781, CVE-2021-23380
